Method for implementing a private-key communication protocol between two processing devices

ABSTRACT

A method for implementing private key protocols between two processing devices of which at least one is a portable storage medium. The devices are fitted with a digital processing circuit for performing modular calculation operations with a view to executing operations such as modular multiplication, the processing circuit is used to implement a private key encryption function consisting of a series of reversible operations comprising at least a combination of two operations, i.e. a modular calculation operation and a binary logic operation, and said function is applied either for encrypting or signing messages to be transmitted, or for decrypting received messages.

The present invention relates to a process for implementing a communications protocol between two processing devices, at least one of which is a portable storage device such as a smart card.

BACKGROUND OF THE INVENTION

Data confidentiality is currently a major concern. It is clear that data in all their forms have intrinsic value that is often difficult to evaluate. Much of the wealth of a corporation or even a country resides in this growing volume of paper and electronic documents that condense its past, present, and even future activities. Paper documents that justified protection were hidden, concealed in locations that were made as difficult as possible to access. The spread of e-mail and electronic filing renews the problem and spurs a search for solutions to the problem.

Answers in this field are based on the concept of secret data being shared by a group of individuals at a given time. The processes implemented to date were based on simple operations that could be carried out on any device capable of elementary operations (binary addition, shifting, permutations, etc.).

The very nature of these processes implies lengthy and particularly painstaking design to build a machine whose logic is virtually error-free and whose errors are in any event never fatal. The confidentiality or secrecy of the data, on which all system security depends, would indeed be broken if the data transmitted between the devices were not kept secret, and this disclosure would then cause the security of the system to fail.

The design of effective protocols thus represents a particularly large investment in time and resources. Also, there is a relationship between maximum security and the quantity of information to be processed.

BRIEF SUMMARY OF THE INVENTION

The present invention solves this problem and in particular eliminates manufacturing shortcomings, because system reliability no longer rests solely on the secrecy of the information held in this equipment.

According to the invention, it is proposed to divide this constraint between the secret held and the processing accomplished, namely the protocol itself.

For this purpose, according to the invention, the process enables secret-key cryptographic protocols to be securely contained in resources (hardware or software) that are dedicated to the performance of complex calculations (for example operations employing modular calculation) in the framework of public-key cryptographic protocols (DH, El Gamal, Schnorr, Fiat-Shamir, etc.).

Devices equipped with calculation resources for performing complex operations (such as modular calculation) are currently known; for example circuits such as the ST16CF54 circuit by the Societe Thomson, 83C852/5 by the Philips Company, or SLE 44CP200 can be cited.

According to the invention, such a resource is used judiciously, namely using operations that take little time but whose effects on data are effective in terms of encrypting and keeping secret the information processed. The principle is to combine operations that call simultaneously on resources dedicated to complex operations in the device itself, whatever its nature (simple application-oriented computer of the 8051 or 6805 type, processors of the 80x86 or 680x0 family, advanced processors such as Pentium, Alpha chips, SUN, or RISC, and parallel processors such as Hypercube), combining cleartext information with a secret key to obtain an enciphered message that only a person possessing the secret protocols can decipher.

Thus, the invention proposes a highly secure system wherein the modular calculation can have a large number of bits, for example 80, 160, or 512 or more, requiring only the combination of two operations.

The present invention relates in particular to a process for implementing a secret-key protocol between two processing devices, at least one of which is a portable storage device, principally characterized by comprising the following stages:

equipping the devices with a digital processing circuit able to perform operations of the modular calculation type to carry out operations such as modular multiplication,

using this processing circuit to implement a secret-key enciphering function composed of a sequence of reversible operations comprising at least the combination of two operations, one of the modular calculation type and the other in binary logic,

applying this function either to messages intended for transmission to encipher or sign them, or to received messages to decipher them.

To process messages of any length, each message is first divided into q blocks of N bits.

According to another aspect of the present invention, the secret-key enciphering function comprises a combination of two operations, one of which is a permutation that uses modular multiplication and the other an exclusive-OR logic operation, where f is such that:

f(x) = (x ⊕ K₂) * K₁ mod n

wherein

x represents a block of N message bits,

K₁ and K₂ represent a first and second secret key with N bits,

n is an odd number of N bits,

⊕ is an exclusive-OR operation,

* is a multiplication modulo n operation.

According to another feature of the invention, the user can choose K₁ ≠ K₂ or K₁ = K₂.

According to another feature of the invention, when a device is sending messages, it performs a first operation on the message by applying the chosen function f iteratively to each block x_(i).

Preferably, an iteration number p equal to at least 4 is used.

Thus, according to a first embodiment, devices A_(j) and A_(k) communicate with each other according to the following protocol:

device A_(j) enciphers each block x of message M, previously divided into (q+1) blocks of N bits, such that each enciphered block y of the message is such that:

E(x) = f^(p)(x) ⊕ K mod n = y,

p being greater than or equal to 4,

the device sends the (q+1) y blocks to device A_(k),

device A_(k) carries out the following operation on each y:

D(y) = g^(p)(y) ⊕ K mod n = x, to decipher block y,

in order to decipher y and obtain x, the function g being the inverse function of f such that:

g(y) = (y * K⁻¹ mod n) ⊕ K,

y representing a block of N bits of the cipher.

The power p indicates that functions f and g are composed p times as follows: f^(p)(x) = f(f(…f(x)…)). Hence, function f is applied iteratively. The proposed number of iterations guarantees better security of the protocol. Practically speaking, hashing the message consists for example of carrying out the following steps:

E(x_(i)) = f⁴(x_(i)) ⊕ K mod n

(1) The cipher y₁ of the first block x₁ of the message is calculated: y₁ = E(x₁)

(2) For the remainder of the x_(i) blocks of the message, the following calculation is performed:

y_(i) = E(x_(i) ⊕ y_(i−1)) ⊕ y_(i−1), and the last block is taken as the hashed value of the message.

According to another embodiment, when devices A_(j) and A_(k) communicate with each other, device A_(j) first divides the message into q+1 blocks of N bits and places the blocks in two registers. One block x_(i) of the message is placed in a first register and the next block x_(i+1) is placed in the second register. When device A_(j) sends a message, it enciphers this message with a cipher function f such that:

E(x_(i), x_(i+1)) = f^(p)(x_(i), x_(i+1))

with f(x_(i), x_(i+1)) = y_(i), y_(i+1)

where y_(i) = x_(i+1)

y_(i+1) = x_(i) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n)

The device sends the (q+1) y blocks to device A_(k).

Device A_(k) performs the following operation on each block y_(i):

D(y_(i), y_(i+1)) = g^(p)(y_(i), y_(i+1))

so as to decipher (y_(i), y_(i+1)) and obtain (x_(i), x_(i+1)), the function g being the inverse function of f, this function being defined by:

g(y_(i), y_(i+1)) = x_(i), x_(i+1)

where x_(i+1) = y_(i) and

x_(i) = y_(i+1) ⊕ ((x_(i+1) ⊕ K₂) * K₁ mod n) = y_(i+1) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n)

device A_(k) thus reconstituting the message.

The reverse application for deciphering is of exactly the same type as the direct application. Hence it is possible to construct a symmetric enciphering system by composing several functions f as above.

In this case, the number of iterations will be chosen to be greater than or equal to eight in order to give good security.

The protocol based on this function, allowing a block x to be enciphered and a block y of the cipher to be deciphered, will be the following:

E(x) = f⁸(x) ⊕ K mod n = y, to encipher block x,

D(y) = g⁸(y) ⊕ K mod n = x, to decipher block y, with g being the inverse of f as defined above, and y representing a block of N bits of the cipher.

The enciphering functions described above can be used to hash messages of any length.

A message is hashed by chaining each block into the enciphering of the next and retaining only the last enciphered value, which represents the hashed value of the message.

In practical terms, hashing a message consists of carrying out the following steps:

E(x_(i), x_(i+1)) = f⁸(x_(i), x_(i+1))

(1) The cipher (y₁, y₂) of the first two blocks (x₁, x₂) of the message is calculated: y₁, y₂ = E(x₁, x₂).

(2) For the rest of the pairs of blocks (x_(i), x_(i+1)) of the message, the following calculation is carried out:

y_(i), y_(i+1) = E(x_(i) ⊕ y_(i−2), x_(i+1) ⊕ y_(i−1)) ⊕ (y_(i−2), y_(i−1)), and the last block is taken as the hashed value of the message.

The length N in bits of the modulo, the keys, and the blocks to be enciphered or hashed will preferably, depending on the devices used, consist of 80 bits or 160, 512, 640, 1024, or more. The number used as the modulo will be odd.

Preferably, the number n = 2^(N) − 1 will be used.

The portable devices will be smart cards or PCMCIA cards, badges, contactless cards, or any other device equipped with a security module.

The signals exchanged may be electrical signals or infrared signals or radio waves.

Other features and advantages of the invention will emerge more clearly from the description provided as an indication and without limitation, having regard to the drawings wherein:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a device implementing the process according to the present invention.

FIG. 2 is a diagram illustrating data transmitted between a device A_(j) and another device A_(k) using a digital processing circuit according to the invention during a message enciphering/deciphering phase.

DETAILED DESCRIPTION OF THE INVENTION

In the remainder of the description, for simplicity's sake, the case of a smart card will be taken as an example of the processing device.

According to the invention proposed, each smart card is composed of a processing unit CPU 11, a communications interface 10, a random-access memory (RAM) and/or a read-only memory (ROM) 14, and/or a (generally reprogrammable) read-only memory (EPROM or EEPROM) 15. Each card can encipher and/or decipher messages according to the procedures proposed.

The CPU unit 11 and/or ROM 14 of this smart card contain programs or calculation resources that allow arithmetical operations to be performed rapidly on large numbers, particularly multiplications, inverse calculations, and modular reductions. In known fashion, some of these operations can be grouped (for example modular reduction can be integrated directly into multiplication).

In the same way as for implementation of an algorithm such as DES, the RAM memory contains block x on N bits of message M to be enciphered. The E(E)PROM memory 15 contains keys K, K₁, and K₂.

In known fashion, the CPU unit 11 controls, via address and data buses 16, the communications interface 10 and the memory read and write operations 13, 14, and 15.

Each smart card is protected from the outside world by physical protections 17. These protections must be sufficient to prevent any unauthorized entity from obtaining the secret key K.

The techniques in commonest use today in this field are building the chip into a security module and equipping chips with devices capable of detecting changes in temperature and light as well as abnormal voltages and clock frequencies. Special (but known) design techniques such as scrambling the memory access are also used.

As shown in FIG. 2 there are two devices A_(j) and A_(k).

A device utilizing a security module with the same functions as a smart card can carry out the enciphering and deciphering operations in the same manner.

Within the general framework of the proposed invention, implementation of a symmetrical enciphering algorithm employing resources normally used for public-key cryptographic operations is carried out by taking the following steps and exchanging at least the following signals between the card and the verification device which, according to the invention, can be another card:

First, the device A_(j) enciphering a message of length L divides the message to obtain (q+1) blocks of N bits. If L = (q*N + r) bits, with r < N, the device divides the message into q+1 blocks, namely q blocks of length N bits and one block of r bits.

It completes the (q+1)th block with zeros in order to have q+1 blocks of N bits, then it enciphers each block x_(i) by performing the following calculation:

E(x_(i)) = f⁴(x_(i)) ⊕ K mod n = y_(i)

with f(x_(i)) = (x_(i) ⊕ K) * K mod n

K representing the secret key over N bits,

n being an odd number of N bits, and

⊕ being the exclusive OR and * the multiplication modulo n.

It then sends the (q+1) y_(i) blocks of the cipher to the deciphering device.

The message deciphering device A_(k) makes the following calculation on each block y_(i):

D(y_(i)) = g⁴(y_(i)) ⊕ K mod n = x_(i), to decipher block y_(i),

with g(y) = (y * K⁻¹ mod n) ⊕ K.

It finally reconstitutes the message M = x₁ | x₂ | … | x_(i+1).
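The single-register variant just described, worked as an added Python example that is not code from the patent: N = 8, n = 2^N − 1 = 255, K₁ = 7, K₂ = 60 and K = 90 are constructed toy values, and the deciphering step is written as g^(p)(y ⊕ K), i.e. the final ⊕K is undone before g is applied, since that is the order that inverts E. The collisions() helper also exercises the reduction caveat with n = 2^N − 1: an XOR result equal to 2^N − 1 reduces to 0 mod n, so two distinct N-bit blocks can encipher to the same value.

```python
# Added example (not from the patent): first embodiment, f(x) = (x xor K2) * K1 mod n
# iterated p = 4 times, E(x) = f^p(x) xor K mod n, and the block-chained hash.
# All parameters are constructed toy values; N = 8 keeps them readable.
N = 8
n = (1 << N) - 1          # n = 2^N - 1 = 255, odd, as the patent prefers
K1 = 7                    # must be invertible mod n: gcd(7, 255) = 1
K2 = 60
K = 90
P = 4                     # iteration count the patent recommends for this variant
K1_INV = pow(K1, -1, n)   # modular inverse: 7 * 73 = 511 = 2 * 255 + 1


def f(x: int) -> int:
    """One round: XOR with K2, then the permutation by multiplication mod n."""
    return ((x ^ K2) * K1) % n


def g(y: int) -> int:
    """Inverse round: multiply by K1^-1 mod n, then undo the XOR with K2."""
    return ((y * K1_INV) % n) ^ K2


def encipher(x: int, p: int = P) -> int:
    """E(x) = f^p(x) xor K mod n."""
    for _ in range(p):
        x = f(x)
    return (x ^ K) % n


def decipher(y: int, p: int = P) -> int:
    """Undo E: strip the final xor K first, then apply g p times.
    (Applying g before removing K would not invert E; this order round-trips.)"""
    y ^= K
    for _ in range(p):
        y = g(y)
    return y


def hash_blocks(blocks: list[int]) -> int:
    """y1 = E(x1); y_i = E(x_i xor y_(i-1)) xor y_(i-1); the last y is the hash."""
    y = encipher(blocks[0])
    for x in blocks[1:]:
        y = encipher(x ^ y) ^ y
    return y


def collisions(p: int = P) -> list[tuple[int, int]]:
    """Pairs of distinct N-bit blocks that encipher to the same value.
    With n = 2^N - 1 an XOR result of 2^N - 1 reduces to 0 mod n, so a round
    is not injective on the full N-bit block space and information is lost."""
    seen: dict[int, int] = {}
    found: list[tuple[int, int]] = []
    for x in range(1 << N):
        y = encipher(x, p)
        if y in seen:
            found.append((seen[y], x))
        else:
            seen[y] = x
    return found
```

Blocks 60 and 195 both encipher to 51 under these keys, and decipher(51) returns 60, so the receiver cannot recover 195; restricting the block domain (or choosing n so that every XOR result stays below n) is what a deployment must guarantee.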

A second variant of the present invention has the objective of offering a second symmetrical enciphering embodiment calling on resources normally used for public-key cryptography, working on two registers of N bits containing the blocks of the message to be enciphered.

The device enciphering a message of length L divides it as described hereinabove.

For a message of length L = (q*N + r) bits, with r < N, it divides this message into q+1 blocks, namely q blocks of length N bits and one block of r bits. It completes the (q+1)th block with zeros, and enciphers each block x_(i) using the following calculation:

E(x_(i), x_(i+1)) = f⁸(x_(i), x_(i+1))

with: f(x_(i), x_(i+1)) = y_(i), y_(i+1)

where y_(i) = x_(i+1)

y_(i+1) = x_(i) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n)

K₁ and K₂ representing the secret keys over N bits,

n being an odd number of N bits, and

⊕ being the exclusive OR and * the multiplication modulo n.

It then sends the (q+1) y_(i) blocks of the cipher to the deciphering device.

The device deciphering the message makes the following calculation on each block y_(i):

D(y_(i), y_(i+1)) = g⁸(y_(i), y_(i+1))

with: g(y_(i), y_(i+1)) = x_(i), x_(i+1)

where x_(i+1) = y_(i)

x_(i) = y_(i+1) ⊕ ((x_(i+1) ⊕ K₂) * K₁ mod n) = y_(i+1) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n)

Finally it reconstitutes the message M = x₁ | x₂ | … | x_(i+1).

As an example, for a better understanding of the processing in the case where two iterations of function f are performed, one would have:

f²(x_(i), x_(i+1)) = f(x_(i+1), x_(i) ⊕ ((x_(i+1) ⊕ K₂) * K₁ mod n)) = y_(i), y_(i+1) = (x_(i) ⊕ ((x_(i+1) ⊕ K₂) * K₁ mod n), x_(i+1) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n))

The process according to the invention also allows messages to be hashed, in order for example to apply it to calculating electronic signatures or implementing secret-key protocols as defined above. For example, the two enciphering functions described above would be used to hash messages in the following manner:

According to a first variant: E(x_(i)) = f⁴(x_(i)) ⊕ K mod n

(1) The cipher y₁ of the first block x₁ of the message is calculated: y₁ = E(x₁)

(2) For the rest of the blocks x_(i) of the message, the following calculation is made: y_(i) = E(x_(i) ⊕ y_(i−1)) ⊕ y_(i−1), and the last block is taken as the hashed value of the message.

According to a second variant: E(x_(i), x_(i+1)) = f⁸(x_(i), x_(i+1))

(1) The cipher (y₁, y₂) of the first two blocks (x₁, x₂) of the message is calculated: y₁, y₂ = E(x₁, x₂)

(2) For the rest of the pairs of blocks (x_(i), x_(i+1)) of the message, the following calculation is performed:
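The two-register variant and its pair-wise hash chain (the chain given earlier for the second variant), as an added Python example that is not code from the patent: N = 8, n = 255, K₁ = 7 and K₂ = 60 are constructed toy values, a message with an odd block count is padded with one zero block (an assumption), and the hash returns the last block produced. Because the modular step only feeds an XOR, g inverts f for every input, including the blocks that collide in the single-register variant.

```python
# Added example (not from the patent): second embodiment, the two-register
# round f(x_i, x_i+1) = (x_i+1, x_i xor ((x_i+1 xor K2) * K1 mod n)) iterated
# p = 8 times, its inverse g, and the pair-wise hash chain. Toy parameters.
N = 8
n = (1 << N) - 1          # 255, odd, as the patent prefers
K1 = 7
K2 = 60
P = 8                     # iteration count the patent recommends for this variant


def round_fn(b: int) -> int:
    """The modular part shared by f and g: (b xor K2) * K1 mod n."""
    return ((b ^ K2) * K1) % n


def f(xi: int, xj: int) -> tuple[int, int]:
    """y_i = x_i+1 ; y_i+1 = x_i xor round_fn(y_i)."""
    yi = xj
    return yi, xi ^ round_fn(yi)


def g(yi: int, yj: int) -> tuple[int, int]:
    """x_i+1 = y_i ; x_i = y_i+1 xor round_fn(x_i+1). Inverts f for every
    input because round_fn is only XORed in and never has to be inverted
    (a Feistel-style structure), unlike the single-register variant."""
    xj = yi
    return yj ^ round_fn(xj), xj


def encipher(xi: int, xj: int, p: int = P) -> tuple[int, int]:
    """E(x_i, x_i+1) = f^p(x_i, x_i+1)."""
    for _ in range(p):
        xi, xj = f(xi, xj)
    return xi, xj


def decipher(yi: int, yj: int, p: int = P) -> tuple[int, int]:
    """D(y_i, y_i+1) = g^p(y_i, y_i+1)."""
    for _ in range(p):
        yi, yj = g(yi, yj)
    return yi, yj


def split_pairs(data: bytes) -> list[tuple[int, int]]:
    """Cut a message into N-bit blocks (N = 8, so one byte each), zero-pad to
    an even block count (assumed here; the patent zero-pads the last block),
    and group the blocks into register pairs (x_i, x_i+1)."""
    blocks = list(data)
    if len(blocks) % 2:
        blocks.append(0)
    return [(blocks[i], blocks[i + 1]) for i in range(0, len(blocks), 2)]


def hash_message(data: bytes) -> int:
    """(y1, y2) = E(x1, x2); then for each following pair
    (y_i, y_i+1) = E(x_i xor y_i-2, x_i+1 xor y_i-1) xor (y_i-2, y_i-1);
    the last block produced is the hashed value."""
    pairs = split_pairs(data)
    prev_i, prev_j = encipher(*pairs[0])
    for xi, xj in pairs[1:]:
        ci, cj = encipher(xi ^ prev_i, xj ^ prev_j)
        prev_i, prev_j = ci ^ prev_i, cj ^ prev_j
    return prev_j
```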

What is claimed is:
1. A process for implementing a secret key protocol between first and second processing devices (Aj, Ak) wherein each device includes a digital processing circuit to perform modular calculations, comprising the steps of: implementing in said processing circuit a secret key enciphering function composed of a sequence of reversible operations comprising at least the combination of two operations, one of the modular calculation type and the other in binary logic, applying said function either to outgoing messages to encipher them, or to incoming messages to decipher them, effecting in said digital processing circuit a dividing of said messages (m) into blocks (x) of N bits prior to said applying step and then processing said divided message in accordance with said applied functions, and said sequence of operations comprises at least a combination of two operations, one of which is a permutation using modular multiplication and the other an OR-exclusive logic operation, this combination being defined by a secret-key enciphering function f such that: f(x) = (x ⊕ K₂) * K₁ mod n, wherein: x represents a block of N bits of the message, K₁ and K₂ represent a first and a second secret key over N bits, n is an odd number of N bits, ⊕ is an exclusive OR operation, * is a multiplication modulo n operation.

2. Process according to claim 1, characterized in that, when a device sends messages, it performs a first action on the message (m), consisting of applying the function f iteratively to each block x_(i).

3. Process according to claim 1, characterized in that the devices communicate with each other according to the following protocol: the first device (A_(j)) divides the message (m) into (q+1) blocks of N bits; said first device (A_(j)) enciphers each block x of the message such that the enciphered block y of the message is such that: E(x) = f^(p)(x) ⊕ K mod n = y, p being an iteration number; the first device sends the (q+1) y blocks to the second device (A_(k)); the second device (A_(k)) carries out the following operation on each y: D(y) = g^(p)(y) ⊕ K mod n = x, to decipher block y, in order to decipher y and obtain x, the function g being the inverse function of f such that: g(y) = (y * K⁻¹ mod n) ⊕ K, y representing a block of N bits of the cipher.

4. Process according to claim 1, characterized in that in the first device (A_(j)) the message (m) is divided into (q+1) blocks (x) of N bits, in that a block x_(i) of one message is placed in a first register, the next block x_(i+1) is placed in a second register, and the device sends the enciphered messages after the operation of applying the function f such that E(x_(i), x_(i+1)) = f^(p)(x_(i), x_(i+1)), where p is an iteration number, with f(x_(i), x_(i+1)) = y_(i), y_(i+1), where y_(i) = x_(i+1) and y_(i+1) = x_(i) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n); the first device sends the (q+1) y blocks to the second device (A_(k)), and the second device (A_(k)) performs the following operation on each block y_(i): D(y_(i), y_(i+1)) = g^(p)(y_(i), y_(i+1)) so as to decipher (y_(i), y_(i+1)) and obtain (x_(i), x_(i+1)), the function g being the inverse function of f, this function being defined by: g(y_(i), y_(i+1)) = x_(i), x_(i+1), where x_(i+1) = y_(i) and x_(i) = y_(i+1) ⊕ ((x_(i+1) ⊕ K₂) * K₁ mod n) = y_(i+1) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n), whereby the second device (A_(k)) thus reconstitutes the message.

5. Process according to claim 4, characterized in that the processing circuit is used to hash the message and in that, when the first device (A_(j)) hashes a message M of length L, the circuit performs the following steps: E(x_(i), x_(i+1)) = f⁸(x_(i), x_(i+1)); (1) the cipher (y₁, y₂) of the first two blocks (x₁, x₂) of the message is calculated: y₁, y₂ = E(x₁, x₂); (2) for the rest of the pairs of blocks (x_(i), x_(i+1)) of the message, the following calculation is carried out: y_(i), y_(i+1) = E(x_(i) ⊕ y_(i−2), x_(i+1) ⊕ y_(i−1)) ⊕ (y_(i−2), y_(i−1)), and the last block is taken as the hashed value of the message.

6. Process according to claim 1, including generating a hashed value of the message (m) and in that, when the first device (A_(j)) hashes the message (M) of length L, the following steps are carried out: E(x_(i)) = f^(p)(x_(i)) ⊕ K mod n, wherein p is an iteration number; (1) the cipher y₁ of the first block x₁ of the message (m) is calculated: y₁ = E(x₁); (2) for the rest of the blocks x_(i) of the message, the following calculation is performed: y_(i) = E(x_(i) ⊕ y_(i−1)) ⊕ y_(i−1), and the last block is taken as the hashed value of the message.

7. Process according to claim 1, characterized in that the modular calculation involves a large number.

8. Process according to claim 1, characterized in that the devices are smart cards, PCMCIA cards, badges, contactless cards, or any other portable apparatus or device equipped with a security module possessing the same functions as said portable devices.

9. Process according to claim 1, characterized in that communication between each device is effected by exchanging radio waves or infrared signals.

10. A process for implementing a secret-key protocol between two processing devices (Aj, Ak), at least one of them being a portable storage device, comprising the following steps: equipping the devices with a digital processing circuit able to perform operations of the modular calculation type to carry out operations, using this processing circuit to implement a secret-key enciphering function composed of a sequence of reversible operations comprising at least the combination of two operations, one of the modular calculation type and the other in binary logic, applying this function either to messages for transmission to encipher them, or to received messages to decipher them, wherein in one device the message is divided into (q+1) blocks of N bits, in that a block x_(i) of one message is placed in a first register, the next block x_(i+1) is placed in a second register, and the device sends the enciphered messages after the operation consisting of applying a function f such that E(x_(i), x_(i+1)) = f^(p)(x_(i), x_(i+1)), with f(x_(i), x_(i+1)) = y_(i), y_(i+1), where y_(i) = x_(i+1), p being an iteration number, and y_(i+1) = x_(i) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n); the one device sends the (q+1) y blocks to the other device (Ak); the other device (A_(k)) performs the following operation on each block y_(i): D(y_(i), y_(i+1)) = g^(p)(y_(i), y_(i+1)) so as to decipher (y_(i), y_(i+1)) and obtain (x_(i), x_(i+1)), the function g being the inverse function of f, this function being defined by: g(y_(i), y_(i+1)) = x_(i), x_(i+1), where x_(i+1) = y_(i) and x_(i) = y_(i+1) ⊕ ((x_(i+1) ⊕ K₂) * K₁ mod n) = y_(i+1) ⊕ ((y_(i) ⊕ K₂) * K₁ mod n), whereby the other device (A_(k)) thus reconstitutes the message.

11. The process according to claim 10, wherein the processing circuit is used to hash the message and in that, when the one device (A_(j)) hashes a message M of length L, the circuit performs the following steps: E(x_(i), x_(i+1)) = f⁸(x_(i), x_(i+1)); (1) the cipher (y₁, y₂) of the first two blocks (x₁, x₂) of the message is calculated: y₁, y₂ = E(x₁, x₂); (2) for the rest of the pairs of blocks (x_(i), x_(i+1)) of the message, the following calculation is carried out: y_(i), y_(i+1) = E(x_(i) ⊕ y_(i−2), x_(i+1) ⊕ y_(i−1)) ⊕ (y_(i−2), y_(i−1)); and (3) the last block is taken as the hashed value of the message.

12. Process according to claim 3 or 4 or 6 or 8 or 10, characterized in that the iteration p is greater than or equal to 4.